1. IPSec—An Overview

By Amin Pathan
MGM`s Polytechnic, Aurangabad
2. Outline

• Why IPSec?
• IPSec Architecture
• Internet Key Exchange (IKE)
• IPSec Policy
• Discussion
3. IP is not Secure!

• The IP protocol was designed in the late 70s to early 80s
  – Part of the DARPA Internet Project
  – Very small network: all hosts were known, and so were the users
  – Therefore, security was not an issue
4. Security Issues in IP

• Source spoofing
• Replay packets
• No data integrity or confidentiality

• DoS attacks
• Replay attacks
• Spying
• and more…

Fundamental issue: networks are not (and will never be) fully secure
5. Goals of IPSec

• To verify the sources of IP packets
  – Authentication
• To prevent replaying of old packets
• To protect the integrity and/or confidentiality of packets
  – Data integrity / data encryption
7. The IPSec Security Model

(Figure: the IPSec security model, contrasting the secure and the insecure parts of the network)
8. IPSec Architecture

(Figure: the IPSec architecture and its components: ESP (Encapsulating Security Payload), AH (Authentication Header), IPSec Security Policy, and IKE (The Internet Key Exchange))
9. IPSec Architecture

• IPSec provides security in three situations:
  – Host-to-host, host-to-gateway and gateway-to-gateway
• IPSec operates in two modes:
  – Transport mode (for end-to-end)
  – Tunnel mode (for VPN)
10. IPsec Architecture

(Figure: transport mode applied end-to-end between the two hosts; tunnel mode applied between the two routers on the path)
11. Various Packets

Original:        [IP header] [TCP header] [data]
Transport mode:  [IP header] [IPSec header] [TCP header] [data]
Tunnel mode:     [outer IP header] [IPSec header] [original IP header] [TCP header] [data]
12. IPSec

• A collection of protocols (RFC 2401)
  – Authentication Header (AH): RFC 2402
  – Encapsulating Security Payload (ESP): RFC 2406
  – Internet Key Exchange (IKE): RFC 2409
  – IP Payload Compression (IPcomp): RFC 3137
13. Authentication Header (AH)

• Provides source authentication
  – Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
  – Uses monotonically increasing sequence numbers
  – Protects against denial of service attacks
• NO protection for confidentiality!
14. AH Details

• Uses a 32-bit monotonically increasing sequence number to avoid replay attacks
• Uses cryptographically strong hash algorithms to protect data integrity (96-bit integrity check value)
  – Uses symmetric key cryptography
  – HMAC-SHA-96, HMAC-MD5-96
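The two AH mechanisms on this slide, the keyed 96-bit integrity check value and the 32-bit sequence number, are easiest to see together on the receive side. The following is an added example, not code from the slides: it computes HMAC-SHA-1 truncated to 96 bits (which is what HMAC-SHA-96 denotes, per RFC 2404) over a constructed packet format of sequence number plus payload, and keeps the sliding anti-replay window RFC 2402 describes. The key, the packet layout and the window size of 64 are assumptions for the example; real AH authenticates the IP header with mutable fields zeroed and the AH header with the ICV field zeroed, which is omitted here.

```python
import hmac
import hashlib
import struct

# Constructed sample key: a real AH key is installed in the SA by IKE or by hand.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
ICV_LEN = 12  # HMAC-SHA-96: full HMAC-SHA-1 output truncated to 96 bits


def ah_icv(key: bytes, authenticated: bytes) -> bytes:
    """96-bit integrity check value over the bytes being protected.
    Real AH covers the IP header (mutable fields zeroed), the AH header (ICV
    field zeroed) and the payload; this constructed format covers
    sequence number + payload only."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed wire format: 4-byte big-endian sequence number, payload, 12-byte ICV."""
    body = struct.pack("!I", seq) + payload
    return body + ah_icv(key, body)


class ReplayWindow:
    """Sliding anti-replay window over the 32-bit sequence number (RFC 2402 style)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0     # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (last - i) already accepted

    def check(self, seq: int) -> bool:
        """Cheap preliminary check, done before the ICV verification."""
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.last:
            return True   # to the right of the window: new
        diff = self.last - seq
        if diff >= self.size:
            return False  # to the left of the window: too old
        return not (self.bitmap & (1 << diff))  # inside: reject if already seen

    def update(self, seq: int) -> None:
        """Record seq as accepted; only called after the ICV verified."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def receive_ah_packet(key: bytes, window: ReplayWindow, packet: bytes) -> bool:
    """Receiver side: sequence-number check, then ICV check, then window update."""
    if len(packet) < 4 + ICV_LEN:
        return False
    seq = struct.unpack("!I", packet[:4])[0]
    if not window.check(seq):
        return False  # replay or too old: dropped before any cryptography runs
    body, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(ah_icv(key, body), received_icv):
        return False  # forged or corrupted: the window is not advanced for it
    window.update(seq)
    return True
```

The order matters: the sequence-number check runs first so a replayed packet costs no HMAC computation, and the window is advanced only after the ICV verifies, so a packet with a bad ICV cannot push the window forward and cause genuine packets to be dropped as "too old".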
15. Encapsulating Security Payload (ESP)

• Provides all that AH offers, and
• in addition provides data confidentiality
  – Uses symmetric key encryption
16. ESP Details

• Same as AH:
  – Uses a 32-bit sequence number to counter replay attacks
  – Uses integrity check algorithms
• Only in ESP:
  – Data confidentiality: uses symmetric key encryption algorithms to encrypt packets
17. Internet Key Exchange (IKE)

• Exchange and negotiate security policies
• Establish security sessions
  – Identified as Security Associations
• Key exchange
• Key management
• Can be used outside IPsec as well
18. IPsec/IKE Acronyms

• Security Association (SA)
  – Collection of attributes associated with a connection
  – Is asymmetric! One SA for inbound traffic, another SA for outbound traffic
  – Similar to ciphersuites in SSL
• Security Association Database (SADB)
  – A database of SAs
19. IPsec/IKE Acronyms

• Security Parameter Index (SPI)
  – A unique index for each entry in the SADB
  – Identifies the SA associated with a packet
• Security Policy Database (SPD)
  – Stores the policies used to establish SAs
20. How They Fit Together

(Figure: an SPD entry refers to SA-1 and SA-2 in the SADB, each identified by its SPI)
21. SPD and SADB Example

(Figure: hosts A and B use transport mode end-to-end; gateways C and D use tunnel mode, C tunnelling the Asub-to-Bsub traffic to D)

A's SPD:
  From  To  Protocol  Port  Policy
  A     B   Any       Any   AH[HMAC-MD5]

A's SADB:
  From  To  Protocol  SPI  SA Record
  A     B   AH        12   HMAC-MD5 key

C's SPD:
  From  To    Protocol  Port  Policy     Tunnel Dest
  Asub  Bsub  Any       Any   ESP[3DES]  D

C's SADB:
  From  To    Protocol  SPI  SA Record
  Asub  Bsub  ESP       14   3DES key
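The SPD/SADB tables on this slide, the SA and SPI definitions on slides 18 and 19, and the transport versus tunnel packet layouts on slide 11 can be exercised in one small model. This is an added example, not code from the slides: the addresses for A, B, C, D, Asub and Bsub are constructed, the SPI values 12 and 14 and the AH[HMAC-MD5] and ESP[3DES] policies are the slide's, and the extra inbound SA with SPI 13 is a constructed addition to show that an SA covers one direction only. The keys are placeholder bytes; no cryptography is performed, only the lookups and the resulting header stack.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses standing in for the slide's hosts and subnets.
A, B = "10.0.1.10", "10.0.2.10"          # transport-mode peers
C, D = "192.0.2.1", "198.51.100.1"       # tunnel-mode gateways
ASUB, BSUB = "10.0.1.0/24", "10.0.2.0/24"


def contains(selector: str, address: str) -> bool:
    """True if a host or CIDR selector covers the address ("Any" matches everything)."""
    if selector == "Any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # transport protocol, e.g. "TCP"
    port: str


@dataclass(frozen=True)
class SPDEntry:
    src: str
    dst: str
    proto: str
    port: str
    protocol: str                 # IPsec protocol: "AH" or "ESP"
    algorithm: str                # e.g. "HMAC-MD5", "3DES"
    mode: str                     # "transport" or "tunnel"
    tunnel_dest: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (contains(self.src, pkt.src) and contains(self.dst, pkt.dst)
                and self.proto in ("Any", pkt.proto) and self.port in ("Any", pkt.port))


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    protocol: str
    spi: int
    key: bytes                    # the "SA record" column: HMAC-MD5 key or 3DES key


# The slide's tables, with placeholder keys.
A_SPD: List[SPDEntry] = [SPDEntry(A, B, "Any", "Any", "AH", "HMAC-MD5", "transport")]
A_SADB: List[SA] = [SA(A, B, "AH", 12, b"placeholder-hmac-md5-key"),
                    SA(B, A, "AH", 13, b"placeholder-inbound-key")]   # constructed inbound SA
C_SPD: List[SPDEntry] = [SPDEntry(ASUB, BSUB, "Any", "Any", "ESP", "3DES", "tunnel", tunnel_dest=D)]
C_SADB: List[SA] = [SA(ASUB, BSUB, "ESP", 14, b"placeholder-3des-key")]


def spd_lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    # The SPD is ordered: the first matching entry decides (RFC 2401).
    return next((e for e in spd if e.matches(pkt)), None)


def outbound_sa(sadb: List[SA], entry: SPDEntry) -> Optional[SA]:
    # Outbound: the SADB is keyed by the From/To/Protocol of the policy, as on the slide.
    return next((sa for sa in sadb if (sa.src, sa.dst, sa.protocol)
                 == (entry.src, entry.dst, entry.protocol)), None)


def inbound_sa(sadb: List[SA], dst: str, protocol: str, spi: int) -> Optional[SA]:
    # Inbound: the SPI carried in the AH/ESP header, together with the destination
    # address and protocol, selects the SA (RFC 2401).
    return next((sa for sa in sadb if sa.spi == spi and sa.protocol == protocol
                 and contains(sa.dst, dst)), None)


def outbound_headers(spd, sadb, pkt: Packet, local_addr: str) -> Optional[List[str]]:
    """Header stack the packet leaves with, in the layout of slide 11."""
    entry = spd_lookup(spd, pkt)
    if entry is None:
        return None   # no SPD match: RFC 2401 discards the packet
    sa = outbound_sa(sadb, entry)
    if sa is None:
        return None   # policy exists but no SA yet: IKE would have to negotiate one
    inner = [f"IP {pkt.src}->{pkt.dst}", pkt.proto, "data"]
    sec = f"{sa.protocol} spi={sa.spi}"
    if entry.mode == "transport":
        return [inner[0], sec] + inner[1:]          # IPSec header after the IP header
    return [f"IP {local_addr}->{entry.tunnel_dest}", sec] + inner  # whole packet wrapped
```

The inbound lookup shows why the slide says an SA is asymmetric: SPI 12 belongs to A's outbound SA towards B, so a packet arriving at A that carries SPI 12 finds no SA, while the separate inbound SA (SPI 13 in this example) does.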
22. IPsec Policy

• Phase 1 policies are defined in terms of protection suites
• Each protection suite
  – Must contain the following:
    • Encryption algorithm
    • Hash algorithm
    • Authentication method
    • Diffie-Hellman group
  – May optionally contain the following:
    • Lifetime
    • …
23. IPSec Policy

• Phase 2 policies are defined in terms of proposals
• Each proposal:
  – May contain one or more of the following:
    • AH sub-proposals
    • ESP sub-proposals
    • IPComp sub-proposals
  – Along with necessary attributes such as key length, lifetime, etc.
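Slide 22 lists what a Phase 1 protection suite must and may contain; the following added example (not code from the slides) shows how a responder would select one from an initiator's offered list: suites missing a required attribute are rejected, the first offered suite that the responder's own policy permits wins, and where both sides state a lifetime the shorter one is used. The attribute names, the policy contents and the dictionary representation are assumptions for the example; the actual IKE payload encoding is not modelled.

```python
from typing import Dict, List, Optional

Suite = Dict[str, object]

# The four attributes slide 22 says every protection suite must contain.
REQUIRED = ("encryption", "hash", "authentication", "dh_group")


def missing_attributes(suite: Suite) -> List[str]:
    """Names of required attributes absent from a protection suite."""
    return [k for k in REQUIRED if k not in suite]


def permits(allowed: Suite, offered: Suite) -> bool:
    """A responder policy entry permits an offered suite when all required attributes agree."""
    return all(allowed[k] == offered[k] for k in REQUIRED)


def select_protection_suite(offered: List[Suite], responder_policy: List[Suite]) -> Optional[Suite]:
    """Pick the first offered suite (initiator preference order) the responder permits.
    Lifetime is optional; when both sides state one, the shorter applies."""
    for suite in offered:
        if missing_attributes(suite):
            continue  # malformed proposal: skip rather than guess the missing attribute
        for allowed in responder_policy:
            if permits(allowed, suite):
                chosen = dict(suite)
                lifetimes = [s["lifetime"] for s in (suite, allowed) if "lifetime" in s]
                if lifetimes:
                    chosen["lifetime"] = min(lifetimes)
                return chosen
    return None  # no acceptable suite: Phase 1 fails


# Constructed sample negotiation: the initiator prefers 3DES with DH group 2,
# the responder only permits DH group 14, so the second offer is the one chosen.
OFFERED: List[Suite] = [
    {"encryption": "3DES", "hash": "SHA1", "authentication": "pre-shared key",
     "dh_group": 2, "lifetime": 86400},
    {"encryption": "AES-128", "hash": "SHA1", "authentication": "pre-shared key",
     "dh_group": 14, "lifetime": 28800},
]
RESPONDER_POLICY: List[Suite] = [
    {"encryption": "AES-128", "hash": "SHA1", "authentication": "pre-shared key",
     "dh_group": 14, "lifetime": 3600},
]


def negotiate_sample() -> Optional[Suite]:
    return select_protection_suite(OFFERED, RESPONDER_POLICY)
```

The responder-side policy is the one that limits what gets negotiated: an initiator can offer weak suites, but only a suite the responder permits is ever chosen, so keeping obsolete algorithms and groups out of the responder's list is what enforces the minimum strength.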
24. Resources

• IP, IPsec and related RFCs:
  – http://www.ietf.org/html.charters/ipsec-charter.html
  – IPsec: RFC 2401, IKE: RFC 2409
  – www.freeswan.org
• Google search
